Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-x9r1psvfqb
Target ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N
SHA256 ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373
Tags discovery ransomware upx
Score 9/10


Analysis Overview

Score 9/10

SHA256 ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373

Threat Level: Likely malicious

The file ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4365) files with added filename extension

Renames multiple (3257) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-05 19:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-05 19:33

Reported 2024-10-05 19:35

Platform win10v2004-20240802-en

Max time kernel 120s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe"

Signatures

Renames multiple (4365) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe

"C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/4768-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

MD5 e1e0ae3a03c0f67cc244fe0c6fe09433
SHA1 e2f8d15617826c4928a869fb71eeba49f13cee07
SHA256 711a34968fbf60af781c195302509c3f4e30413cb68ad129bc4ed427f5017bd0
SHA512 03ff6eaf3cf68140bac52f398aef3e6c0bff53d3720408bcc345b12072a2ac31f5f65449bc3eabdc05be19c1f3915d2149a1f9624ecaa6ed2520a63c25859734

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 788bacc8a2d57bbf4fc57689425ce9d2
SHA1 676dd8087f19bff43bf60b38b69a28c38dc71be7
SHA256 57deede9d94c8be66c4636d163b762eb7d1633006d2221278a79d30c7242e26a
SHA512 40e71a15a277a9afe86c122427e17b4321af7ddf9ca4d4247a92c06c1920482ad1e9412f6e6175bd15b4cb488c772488f53b03a9ddcc3a029df789f8dab2e409

memory/4768-856-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-05 19:33

Reported 2024-10-05 19:35

Platform win7-20240903-en

Max time kernel 120s

Max time network 21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe"

Signatures

Renames multiple (3257) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe

"C:\Users\Admin\AppData\Local\Temp\ec17bd5a1137d757c2ad04d84afd1d2490a8d516279df71f9acaf56d791df373N.exe"

Network

N/A

Files

memory/2668-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 ae17117022cfb0a74f108199a3d34b91
SHA1 e93a99e5a76c6aba70cc68edb436c195dda9508f
SHA256 2ab3e343fd9d9068118ceb8d6a707d10e0069442c49409e0158e2d2f67a8a620
SHA512 f15a896a75aa2a819b2f4e52f9d25dd29e9ff584d36274289233fe30a0a29649cbdeb09252599bff9b2ce62ec96b2aa901859743524edf43b9d3198527d4e76c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a4e57cac7fdf225320ed494bd19019c0
SHA1 e9f6f59ca82173ed4b521b3f5e4405cb20a6f127
SHA256 e96f2b62dcaabfd2056115454f0ebbd73a1c13847bcce3415d9cbf414db07ec5
SHA512 923f104de9c258f87bb997796eab5ac35b566aa5ff734a01216cdd03bd3307b3db3a6e98637d70da1f85f46bceddf66762b6bc13443014d45116609876a55c9d

memory/2668-70-0x0000000000400000-0x000000000040B000-memory.dmp